Abstract

We introduce a fixedpoint algorithm for verifying safety properties of hybrid systems with differential equations that have right-hand sides that are polynomials in the state variables. In order to verify non-trivial systems without solving their differential equations and without numerical errors, we use a continuous generalization of induction, for which our algorithm computes the required differential invariants. As a means for combining local differential invariants into global system invariants in a sound way, our fixedpoint algorithm works with a compositional verification logic for hybrid systems. To improve the verification power, we further introduce a saturation procedure that refines the system dynamics successively with differential invariants until safety becomes provable. By complementing our symbolic verification algorithm with a robust version of numerical falsification, we obtain a fast and sound verification procedure. We verify roundabout maneuvers in air traffic management and collision avoidance in train control.


1 Introduction


Reachability questions for systems with complex continuous dynamics are among the most challenging problems in verifying embedded systems. Hybrid systems [16, 13, 8, 1] are models for these systems with interacting discrete and continuous transitions, with the latter being governed by differential equations. For simple systems whose differential equations have solutions that are polynomials in the state variables, quantifier elimination [6] can be used for verification [13, 24, 2, 26]. Unfortunately, this symbolic approach does not scale to systems with complicated differential equations whose solutions do not support quantifier elimination (e.g., when they are transcendental functions) or cannot be given in closed form.

Numerical or approximation approaches [3, 18, 28] can deal with more general dynamics. However, numerical or approximation errors need to be handled carefully as they easily cause unsoundness. More specifically, we have shown previously that even single image computations of fairly restricted classes of hybrid systems are undecidable by numerical computation [28]. Thus, numerical approaches can be used for falsification [18, 9] but not (ultimately) for verification.

In this paper, we present an approach that combines the soundness of symbolic approaches [13, 2, 26, 27] with support for nontrivial dynamics, which is otherwise dominant in numerical approaches [3, 18, 28, 9]. During continuous transitions, the system follows a solution of its differential equation. But for nontrivial dynamics, these solutions are much more complicated than the original equations. Solutions quickly become transcendental even if the differential equations are linear. To overcome this, we handle continuous transitions based on their local dynamics, which is described by their differential equations. We use differential induction [25], a continuous generalization of induction that works with the differential equations themselves instead of their solutions. For the induction step, we give a condition that can be checked easily. It uses differential invariants, i.e., properties whose derivative holds true in the direction of the vector field of the differential equation. The derivative is a directional derivative in the direction of the (vector field generated by the) differential equation, and we generalize derivatives from functions to formulas appropriately. For this to work in practice, the most crucial steps are to find sufficiently strong local differential invariants for differential equations and compatible global invariants for the hybrid system.

To this end, we introduce a sound verification algorithm for hybrid systems that computes the differential invariants and system invariants in a fixedpoint loop. We follow the invariants as fixedpoints paradigm [5] using a verification logic that is generalized to hybrid systems accordingly [26, 27]. For combining multiple local differential invariants into a global invariant in a sound way, we exploit the closure properties of the underlying verification logic [26, 27] by forming appropriate logical combinations of multiple safety statements. In addition, we introduce a differential saturation process that refines the hybrid dynamics successively with auxiliary differential invariants until the safety statement becomes an invariant of the refined system. Finally, each fixedpoint iteration of our algorithm can be combined with numerical falsification to accelerate the overall symbolic verification in a sound way. We validate our algorithm by verifying aircraft roundabout maneuvers [34, 28] and train control applications [29].

In other approaches [33, 32] invariants only work for systems without inequalities [33, 32] or can only be generated for linear systems [32]. The approach of Prajna et al. [30] requires global optimization over the set of all proof attempts for the whole system at once, which is infeasible. Unfortunately, even for low-degree invariants, this requires solving optimization problems in several thousand dimensions for aircraft maneuvers [34, 28] and train control case studies [29].

q := on;  /* initial location is on */
(  (?q = on; x' = 1 ∧ x ≤ 9)
 ∪ (?q = on ∧ x ≥ 5; x := x + 1; q := off)
 ∪ (?q = off; x' = −1)
 ∪ (?q = off ∧ x ≤ 2; q := on; ?x ≤ 9))*

Figure 1: Natural hybrid program rendition of hybrid automaton (simple water tank)


2 Hybrid Programs and Differential Dynamic Logic

As operational models for hybrid systems, we use hybrid programs (HP), a program notation for hybrid automata (HA) [16]. HP can be decomposed syntactically into fragments: subprograms which correspond to partial executions of only a part of the full HP (programs are easier to split structurally into parts than graphs, because handling dangling edges between graph fragments is complicated). This is important as our verification algorithm recursively decomposes an HP into fragments α1, …, αn (e.g., to find local invariants for each αi) and recombines corresponding correctness statements about these fragments αi later.

Hybrid Programs. In order to represent HA [16] textually as an HP, we represent each discrete and continuous transition as a sequence of statements, with a nondeterministic choice (∪) between these transitions. For instance, the second line in Fig. 1 represents a continuous transition. It tests (denoted by ?q = on) if the current location q is on, and then follows a differential equation restricted to invariant region x ≤ 9 (i.e., the conjunction x' = 1 ∧ x ≤ 9). The third line tests the guard x ≥ 5 when in state on, resets x by a discrete assignment, and then changes location q to off. The * at the end indicates that the transitions of a HA repeat indefinitely. Alternatively, the resulting HP in Fig. 1 can be considered as the essential part of a program exported from Stateflow/Simulink enriched with differential equations for the continuous dynamics. Every safety property that this HP satisfies is fulfilled for all deterministic implementation refinements.

Formally, let V be a set of state variables of the system including auxiliary variables. As terms we allow polynomials over variables in V with rational constants. To make a structural decomposition of HP into fragments possible, each operation of a HP only has a single effect. There are separate classes of program statements with purely discrete effect, purely continuous effect, and statements purely for regulating their interaction. Hybrid programs (HP) are built with the statements depicted in Tab. 1. The effect of x := θ is an instantaneous discrete jump assigning θ to x. Instead, x := random randomly assigns any real value to x by a nondeterministic choice. During a continuous evolution x'1 = θ1 ∧ ⋯ ∧ x'n = θn ∧ H, all conjuncts need to hold. Its effect is a continuous transition controlled by the differential equation x'1 = θ1, …, x'n = θn that always satisfies the arithmetic constraint H (thus remains in the region described by H). This directly corresponds to a continuous evolution mode of a HA. The effect of a state check or assert statement ?H is a skip (i.e., no change) if H is true in the current state and that of abort, otherwise. The non-deterministic choice α ∪ β expresses alternatives in the behavior of the hybrid system. The sequential composition α; β expresses a behavior in which β starts after α finishes (as usual, β never starts if α continues indefinitely). In a non-deterministic repetition α*, the HP α repeats an arbitrary number of times, possibly zero. All other discrete control structures are definable from the primitives in Tab. 1 [15].

Formulas of dL. Our verification algorithm repeatedly decomposes and recombines HP. As a logical framework where these operations are sound, we use a logic in which simultaneous correctness properties about multiple subsystems are expressible. The differential dynamic logic dL [26, 27] is an extension of first-order logic over the reals with modal formulas like [α]φ, which is true iff all states reachable by following the transitions of HP α satisfy property φ (safety).

Definition 1 (dL formulas) The formulas of dL are defined by the following grammar (where θ1 and θ2 are terms, ~ ∈ {=, ≤, <, ≥, >}, φ, ψ are formulas, x ∈ V, and α is an HP built from the statements in Tab. 1):

$\mathrm{Formulas} ::= \theta_1 \sim \theta_2 \mid \neg\phi \mid \phi \wedge \psi \mid \phi \vee \psi \mid \phi \rightarrow \psi \mid \forall x\, \phi \mid \exists x\, \phi \mid [\alpha]\phi .$

A Hoare-triple {ψ}α{φ} can be expressed as ψ → [α]φ, which is true iff all states reachable by HP α satisfy φ when starting from an initial state that satisfies ψ. Unlike Hoare-logics, dynamic logics are closed under logical connectives [31]. Hence, we can express simultaneous correctness statements about multiple fragments αi using conjuncts [α1]φ1 ∧ [α2]φ2. With this, a proof for [α]φ can be decomposed soundly into [α1]φ1 ∧ [α2]φ2, when [α]φ and [α1]φ1 ∧ [α2]φ2 are equivalent for appropriate fragments αi of α and subproperties φi of φ. In turn, if φ̃i is the result of recursively applying the verification algorithm to [αi]φi, then these can be recombined soundly to the verification result φ̃1 ∧ φ̃2 for [α]φ. By the semantics of dL, this process gives a sound way of combining local invariants required in the respective subgoals [αi]φi to a global system invariant. Finally, dL and its proof techniques are closed under quantification, which we use to quantify over parameter choices of local invariants. For instance, ∃p ([α1]φ1 ∧ [α2]φ2) can be used to determine if there is a common choice for parameter p that makes both subgoals true. Liveness properties are expressible using ⟨α⟩φ ≡ ¬[α]¬φ, which is true iff there is a reachable state satisfying φ.

The semantics of dL and HP is a Kripke semantics and given in appendix A.

Table 1: Statements and (informal) effects of hybrid programs (HP)

notation                        | statement            | effect
x := θ                          | discrete assignment  | assigns term θ to variable x ∈ V
x := random                     | nondet. assignment   | assigns any real value to x ∈ V
x'1 = θ1 ∧ … ∧ x'n = θn ∧ H     | continuous evolution | diff. equations for xi ∈ V and terms θi, with arithmetic constraint H (domain)
?H                              | state check          | test formula H at current state
α; β                            | seq. composition     | HP β starts after HP α finishes
α ∪ β                           | nondet. choice       | choice between alternatives HP α or β
α*                              | nondet. repetition   | repeating HP α n-times for any n ∈ ℕ


3 Inductive Verification by Combining Local Fixedpoints

For verifying safety properties of hybrid systems without having to solve their differential equations, we use a continuous form of induction. In the induction step, we use a condition on directional derivatives in the direction of the vector field generated by the differential equation. The resulting properties are invariants of the differential equation (whence called differential invariants [25]). The crucial step for verifying discrete systems by induction is to find sufficiently strong invariants (e.g., for loops α*). Similarly, the crucial step for verifying dynamical systems (which correspond to a single continuous mode of a hybrid system) by induction is to find sufficiently strong invariant properties of the differential equation. Consequently, for verifying hybrid systems inductively, local invariants need to be found for each differential equation and a global system invariant needs to be found that is compatible with all local invariants.

To compute the required invariants and differential invariants, we combine the invariants as fixedpoints approach from [5] with the lifting of verification logics to hybrid systems from [26, 27]. We introduce a verification algorithm that computes invariants of a system as fixedpoints of safety constraints on subsystems. We exploit the fact that HP can be decomposed into subsystems and that dL can combine safety statements about multiple subsystems simultaneously.

A safety statement corresponds to a dL formula ψ → [α]φ with an HP α, a safety property φ about its reachable states, and an arithmetic formula ψ that symbolically characterizes the set of initial states. Validity of formula ψ → [α]φ (i.e., truth in all states) corresponds to φ being true in all states reachable by HP α from initial states that satisfy ψ. Our verification algorithm defines the function prove(ψ → [α]φ) for verifying this safety statement recursively.

3.1 Verification by Symbolic Decomposition

The cases of prove where dL immediately enables us to verify a property of an HP by decomposing it into a property of its parts are shown in Fig. 2. In the interest of a concise presentation, the case in line 1 introduces an auxiliary variable x̂ to handle discrete assignments by substituting x̂ for x. For instance, x ≥ 2 → [x := x − 1]x ≥ 0 is shown by proving x ≥ 2 ∧ x̂ = x − 1 → x̂ ≥ 0. The actual implementation of our algorithm uses optimizations to avoid these auxiliary variables [27]. State checks ?H are shown by assuming the test succeeds, i.e., H holds true (line 3), nondeterministic choices split into their alternatives (line 5), sequential compositions are proven using nested modalities (line 7), and random assignments are handled by universal quantification (line 9).

The base case in line 11, where φ is a formula of first-order real arithmetic, can be proven by real quantifier elimination [6] or semidefinite programming [23]. Despite the complexity of real arithmetic, this is feasible, because the formulas resulting from our algorithm do not depend on the solutions of differential equations but only their right-hand sides. Using a temporary form of Skolemization together with Deskolemization, quantifier elimination can be lifted to eliminate quantifiers from dL formulas. We refer to previous work [27, 26] for details.

The algorithm in Fig. 2 recursively reduces safety of HP to properties of continuous evolutions or of repetitions, which we verify in the next sections.


1   function prove(ψ → [x := θ]φ):
2     return prove(ψ ∧ x̂ = θ → φ[x̂/x])  where x̂ is a new auxiliary variable
3   function prove(ψ → [?H]φ):
4     return prove(ψ ∧ H → φ)
5   function prove(ψ → [α ∪ β]φ):
6     return prove(ψ → [α]φ) and prove(ψ → [β]φ)  /* thus ψ → [α]φ ∧ [β]φ */
7   function prove(ψ → [α; β]φ):
8     return prove(ψ → [α][β]φ)
9   function prove(ψ → [x := random]φ):
10    return prove(ψ → ∀x φ)
11  function prove(ψ → φ) where isFirstOrder(φ):
12    return QuantifierElimination(ψ → φ)

Figure 2: dL-based verification by symbolic decomposition


3.2 Discrete and Differential Induction, Differential Invariants

In the sequel, we present algorithms for verifying loops by discrete induction and continuous evolutions by differential induction, which is a continuous form of induction. In either case, we prove that an invariant F holds initially (in the states characterized symbolically by ψ, thus ψ → F is valid) and finally entails the postcondition φ (i.e., F → φ). The cases differ in their induction step.

Definition 2 (Discrete induction) Formula F is a (discrete) invariant of ψ → [α*]φ iff the following formulas are valid:

1. ψ → F (induction start), and

2. F → [α]F (induction step).

An invariant is sufficiently strong if F → φ is valid.

Definition 3 (Continuous invariants) Let D be a differential equation. Formula F is a continuous invariant of ψ → [D ∧ H]φ iff the following formulas are valid:

1. ψ ∧ H → F (induction start), and

2. F → [D ∧ H]F (induction step).

Again, a continuous invariant is sufficiently strong if F → φ is valid.

To prove that F is a continuous invariant, it is sufficient to check a condition on the directional derivatives of all terms of the formula, which expresses that no atomic subformula of F changes its truth-value along the dynamics of the differential equation. This condition is much easier to check than a reachability property (F → [D ∧ H]F) of a differential equation. Applications like aircraft maneuvers need invariants with mixed equations and inequalities. Thus, we generalize directional derivatives from functions to logical formulas.

Definition 4 (Differential induction) Let D be the differential equation system

$x_1' = \theta_1 \wedge \cdots \wedge x_n' = \theta_n .$

Formula F is a differential invariant of ψ → [D ∧ H]φ iff the following formulas are valid:

1. ψ ∧ H → F and

2. H → ∇_D F

where ∇_D F is defined as the conjunction of all directional derivatives of atomic formulas in F in the direction of the vector field of D (the partial derivative of b by x_i is ∂b/∂x_i):

$\nabla_{\mathcal D} F \;=\; \bigwedge_{(b \sim c) \in F} \Big( \sum_{i=1}^{n} \frac{\partial b}{\partial x_i}\,\theta_i \;\sim\; \sum_{i=1}^{n} \frac{\partial c}{\partial x_i}\,\theta_i \Big)$

for ~ ∈ {=, ≥, >, ≤, <}.

Proposition 1 (Principle of differential induction) All differential invariants are continuous invariants (the proof is in appendix B.1).

Figure 3: Differential invariant F

The region corresponding to a differential invariant F is illustrated in Fig. 3. Formula ∇_D F is a directional derivative of F in the direction of the dynamics of D. Intuitively, formula ∇_D F is true if the gradient arrows are pointing inside the (possibly unbounded) region consisting of the points where F is true. In Sections 3.4-3.6, we present algorithms for finding differential invariants for differential equations, and for finding global invariants for repetitions.
[Figure 4: image not reproduced; panels (a)-(c), axes labelled x_i and y_i]

Figure 4: Roundabout maneuvers for aircraft collision avoidance.


3.3 Example: Flight Dynamics in Air Traffic Collision Avoidance

Aircraft collision avoidance maneuvers resolve conflicting flight paths, e.g., by roundabout maneuvers [34], see Fig. 4a-b. Their non-trivial dynamics makes safe separation of aircraft difficult to verify [34, 21, 10, 7, 28, 14, 17]. The parameters of two aircraft at the respective planar positions x = (x1, x2) ∈ ℝ² and y = (y1, y2) with angular orientation ϑ and ς are illustrated in Fig. 4c (with ϑ = 0). Their dynamics is determined by their linear speeds v ∈ ℝ and u ∈ ℝ and by their angular speeds ω and ϱ ∈ ℝ, see, e.g., [34] for details:

$x_1' = v \cos\vartheta \qquad x_2' = v \sin\vartheta \qquad \vartheta' = \omega$
$y_1' = u \cos\varsigma \qquad y_2' = u \sin\varsigma \qquad \varsigma' = \varrho$   (1)

In safe flight configurations, aircraft are separated by distance ≥ p:

$(x_1 - y_1)^2 + (x_2 - y_2)^2 \geq p^2 .$   (2)

To handle the transcendental functions in (1), we axiomatize sin and cos by differential equations and reparametrize the system using a linear velocity vector d = (d1, d2) := (v cos ϑ, v sin ϑ) ∈ ℝ², which describes both the linear velocity ‖d‖ := √(d1² + d2²) = v and orientation of the aircraft in space, see Fig. 4c:

$x_1' = d_1 \qquad x_2' = d_2 \qquad d_1' = -\omega d_2 \qquad d_2' = \omega d_1 \qquad t' = 1$
$y_1' = e_1 \qquad y_2' = e_2 \qquad e_1' = -\varrho e_2 \qquad e_2' = \varrho e_1 \qquad s' = 1$   (F)

Equations (F) and (1) are equivalent up to reparameterization. Variables t and s are additional clocks to coordinate collision avoidance maneuvers.

We can show, e.g., that d1² + d2² ≥ a² is a differential invariant of (F):

$\nabla_{\mathcal F}(d_1^2 + d_2^2 \geq a^2) = \nabla_{(d_1' = -\omega d_2 \wedge d_2' = \omega d_1)}(d_1^2 + d_2^2 \geq a^2)$
$= \frac{\partial (d_1^2 + d_2^2)}{\partial d_1}(-\omega d_2) + \frac{\partial (d_1^2 + d_2^2)}{\partial d_2}(\omega d_1) \;\geq\; \frac{\partial a^2}{\partial d_1}(-\omega d_2) + \frac{\partial a^2}{\partial d_2}(\omega d_1)$
$= 2 d_1 (-\omega d_2) + 2 d_2 \omega d_1 \;\geq\; 0 .$


3.4 Local Fixedpoint Computation for Differential Invariants

1  function prove(ψ → [D ∧ H]φ):
2    if prove(∀^cl(H → φ)) then
3      return true  /* safety property proven */
4    for each F ∈ Candidates(ψ → [D ∧ H]φ, H) do
5      if prove(ψ ∧ H → F) and prove(∀^cl(H → ∇_D F)) then
6        H := H ∧ F  /* refine by differential invariant */
7        goto 2;  /* repeat fixedpoint loop */
8    end for
9    return "not provable using candidates"

Figure 5: Fixedpoint algorithm for differential invariants (differential saturation)

Fig. 5 depicts the fixedpoint algorithm for constructing differential invariants for each continuous evolution D ∧ H with a differential equation system D. The algorithm in Fig. 5 (called Differential Saturation) successively refines the domain H by differential invariants until saturation, i.e., H accumulates enough information to become a strong invariant that implies postcondition φ (line 2). If domain H already entails φ, then ψ → [D ∧ H]φ is proven (line 2). Otherwise, the algorithm considers candidates F for augmenting H (line 4). If F is a differential invariant (line 5), then H can soundly be refined to H ∧ F (line 6) without affecting the states reachable by D ∧ H (Proposition 2 below). Then, the fixedpoint loop repeats (line 7). At each iteration of this fixedpoint loop, the previous invariant H can be used to prove the next level of refinement H ∧ F (line 5). The refinement of the dynamics at line 6 is correct by the following proposition, using that the conditions in line 5 imply that F is a differential invariant and, thus, a continuous invariant by Proposition 1. (A proof is in appendix B.2.)

Proposition 2 (Differential saturation) If F is a continuous invariant of ψ → [D ∧ H]φ, then ψ → [D ∧ H]φ and ψ → [D ∧ H ∧ F]φ are equivalent.

This progressive differential saturation turns out to be crucial in practice. For instance, the aircraft separation property (2) cannot be proven until (F) has been refined by invariants for d and e, because these determine x' and y'.

The function Candidates determines candidates for induction (line 4) depending on transitive differential dependencies, as will be explained in Section 3.5. When these are insufficient for proving ψ → [D ∧ H]φ, the algorithm fails (line 9, with improvements in subsequent sections). Finally, ∀^cl φ denotes the universal closure of φ. It is required in lines 2 and 5, because the respective formulas need to hold in all states (that satisfy H), which we will improve on in Section 4.
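As an added example that is neither part of the paper nor the authors' implementation, the following Python code encodes the induction step of Def. 4 for polynomial atoms and runs a restricted form of the saturation loop of Fig. 5 on the one-aircraft part of system (F) from Section 3.3: it recomputes the hand derivation of ∇_F(d1² + d2² ≥ a²) as a directional derivative, rejects a candidate whose derivative is not identically zero, and refines H in the order the loop does. Assumptions made here: the variable order VARS and the dict encoding of polynomials, a single concrete (constructed) initial state standing in for ψ, and a syntactic stand-in for the calls to prove, since real quantifier elimination is not implemented: the step H → ∇_D F is accepted only when the directional derivative is syntactically the zero polynomial, and H → φ only when each atom of φ already occurs in H.

```python
from fractions import Fraction

# Added example (not the paper's code).  Assumed encoding: variables are fixed
# by position in VARS, a polynomial is a dict {exponent tuple: Fraction}, and
# an atomic formula p ~ 0 is a pair (p, rel) with rel in {"=", ">=", "<="}.
VARS = ("x1", "x2", "d1", "d2", "omega", "a")
IDX = {v: i for i, v in enumerate(VARS)}

def mono(var, power=1, coeff=1):
    """The monomial coeff * var**power."""
    e = [0] * len(VARS)
    e[IDX[var]] = power
    return {tuple(e): Fraction(coeff)}

def add(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, Fraction(0)) + c
    return {e: c for e, c in r.items() if c != 0}

def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = r.get(e, Fraction(0)) + c1 * c2
    return {e: c for e, c in r.items() if c != 0}

def diff(p, var):
    """Partial derivative of p with respect to var."""
    i = IDX[var]
    r = {}
    for e, c in p.items():
        if e[i] > 0:
            e2 = list(e)
            e2[i] -= 1
            r[tuple(e2)] = r.get(tuple(e2), Fraction(0)) + c * e[i]
    return {e: c for e, c in r.items() if c != 0}

def lie_derivative(p, D):
    """sum_i (dp/dx_i) * theta_i along the vector field of D = {x_i: theta_i}
    (Def. 4).  Variables without an equation in D (omega, a) contribute 0."""
    r = {}
    for var, theta in D.items():
        r = add(r, mul(diff(p, var), theta))
    return r

def evaluate(p, state):
    """Value of p in a concrete state {var: number}."""
    total = Fraction(0)
    for e, c in p.items():
        term = c
        for v, k in zip(VARS, e):
            term *= Fraction(state[v]) ** k
        total += term
    return total

def atom_true(atom, state):
    p, rel = atom
    v = evaluate(p, state)
    return {"=": v == 0, ">=": v >= 0, "<=": v <= 0}[rel]

def step_holds(atom, D):
    """Induction step H -> nabla_D F of Def. 4 for the atom p ~ 0, i.e. the
    condition (sum_i dp/dx_i theta_i) ~ 0.  No real quantifier elimination
    here: the step is accepted only when the directional derivative is
    syntactically zero, so 0 ~ 0 is valid for every rel (sufficient only)."""
    return lie_derivative(atom[0], D) == {}

def saturate(init_state, H, phi, candidates, D):
    """Restricted Fig. 5: psi is one concrete initial state, H and phi are
    lists of atoms read as conjunctions, and prove(H -> phi) is decided
    syntactically (each atom of phi already occurs in H).  Returns
    (proved, refined H)."""
    H = list(H)
    while True:
        if all(atom in H for atom in phi):          # line 2
            return True, H
        for F in candidates:                        # line 4
            if F not in H and atom_true(F, init_state) and step_holds(F, D):  # line 5
                H.append(F)                         # line 6: refine domain
                break                               # line 7: repeat loop
        else:
            return False, H                         # line 9

# One-aircraft part of (F): x1' = d1, x2' = d2, d1' = -omega*d2, d2' = omega*d1
F_SYSTEM = {"x1": mono("d1"), "x2": mono("d2"),
            "d1": mul(mono("omega", 1, -1), mono("d2")),
            "d2": mul(mono("omega"), mono("d1"))}
# d1^2 + d2^2 - a^2 >= 0: the invariant derived by hand in Section 3.3
SPEED_ATOM = (add(add(mono("d1", 2), mono("d2", 2)), mono("a", 2, -1)), ">=")
# d1 + omega*x2 = 0: the ParaForm instance of Section 3.5
PARA_ATOM = (add(mono("d1"), mul(mono("omega"), mono("x2"))), "=")
# x1^2 + x2^2 - a^2 >= 0: true in INIT below but not a differential invariant
BAD_ATOM = (add(add(mono("x1", 2), mono("x2", 2)), mono("a", 2, -1)), ">=")
# Constructed initial state standing in for psi; it satisfies all three atoms
INIT = {"x1": 1, "x2": 1, "d1": -1, "d2": 0, "omega": 1, "a": 1}

def demo():
    """INIT -> [F_SYSTEM & true](d1^2 + d2^2 >= a^2), proven by saturation."""
    return saturate(INIT, [], [SPEED_ATOM], [BAD_ATOM, PARA_ATOM, SPEED_ATOM], F_SYSTEM)
```

Running demo() rejects BAD_ATOM at line 5 (its derivative 2x1d1 + 2x2d2 is not zero), admits d1 + ωx2 = 0 and then d1² + d2² ≥ a² at line 6, and succeeds at line 2 once the postcondition is among the conjuncts of H; asking it to prove BAD_ATOM instead exhausts the candidates and returns at line 9.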

3.5 Dependency-directed Induction Candidates

In this section, we construct likely candidates for differential induction (function Candidates). Later, we use the same procedure for finding global loop invariants. We construct two kinds of candidates in an order induced by differential dependencies. Our algorithm successively enriches ψ with more precise information about the symbolic prestate as obtained by the symbolic decompositions and proof steps in Fig. 2 and 5. We look for invariant symbolic state information in ψ and φ by selecting subformulas that are not yet contained in H. In practice, this gives particularly good candidates for highly parametric hybrid systems.

We generate additional parametric invariants. Let V = {x1, …, xn} be a set of variables. We choose fresh names a^{(l)}_{i1,…,in} for formal parameters of the invariant candidates and build polynomials p1, …, pk of degree d with variables V using the formal parameters as symbolic coefficients:

$p_l := \sum_{i_1 + \cdots + i_n \leq d} a^{(l)}_{i_1,\dots,i_n}\, x_1^{i_1} \cdots x_n^{i_n} \qquad (\text{for } 1 \leq l \leq k) .$

We define the set of parametric candidates (operator ∇ is defined on them accordingly):

$\mathrm{ParaForm}(k, d, V) := \Big\{ \bigwedge_{l=1}^{i} p_l \geq 0 \;\wedge\; \bigwedge_{l=i+1}^{k} p_l = 0 \;\Big|\; 0 \leq i \leq k \Big\}$

For instance, the parametric candidate a_{0,0} + a_{1,0} d1 + a_{0,1} x2 = 0 yields a differential invariant of (F) for the choice a_{0,0} = 0, a_{1,0} = 1, a_{0,1} = ω. By simple combinatorics, ParaForm contains k + 1 candidates with k·$\binom{n+d}{d}$ formal parameters a^{(l)}_{i1,…,in}, which are existentially quantified. Existence of a common satisfying instantiation for these parameters can be expressed by adding ∃a^{(l)}_{i1,…,in} to the resulting dL formulas. For this to be feasible, the number of parameters is crucial, which we minimize by respecting (differential) dependencies.

To accelerate the differential saturation process in Section 3.4, it is crucial to explore candidates in a promising order from simple to complex, because the algorithm in Fig. 5 uses successful differential invariants to refine the dynamics, thereby simplifying subsequent proofs. For instance, (2) is only provable after the dynamics has been refined with invariants for d and e. We construct candidates in a natural order based on variable occurrence that is consistent with the differential dependencies of the differential equations. For a differential equation D, variable x depends on variable y according to the differential equation system D if y occurs on the right-hand side for x' (or transitively so). The resulting set of dependencies is the transitive closure of:

$\mathrm{depend}(\mathcal D) := \{ (x, y) \mid (x' = \theta) \in \mathcal D \text{ and } y \text{ occurs in } \theta \} .$

For the differential equation system (F), we determine the differential dependencies indicated as arrows (pointing to the dependent variables x) in Fig. 6.

From these dependencies we determine an order on candidates. The idea is that, as the value of x1 depends on that of d1, it makes sense to look for invariant expressions of d1 first, because refinements with these help differential saturation in proving invariant expressions involving also x1. We order variables by differential dependencies, which resembles the back substitution order in Gaussian elimination (if, in triangular form, x1 depends on d1 then equations for d1 must be solved first). Now we call a set V of variables a cluster of the differential equation D iff V is closed with respect to depend(D), i.e., variables of V only depend on variables in V. The resulting variable clusters for system (F) are marked as triangular shapes in Fig. 6. Finally, we choose candidates from ψ and ParaForm(k, d, V) starting with candidates F whose variables lie in small clusters V. Thus, the differential invariant d1² + d2² ≥ a² of Section 3.3 within cluster {d2, d1, ω} will be discovered before invariants like d1 = −ωx2 that involve x2, because x2 depends on d2. Consequently, line 6 of Fig. 5 makes d1² + d2² ≥ a² available for subsequent checks of invariants involving x2.
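The dependency computation of this section, as an added Python example that is not the paper's implementation: it builds depend(D) and its transitive closure for system (F), derives the variable clusters shown in Fig. 6, and orders candidates by the size of the smallest cluster containing their variables, so that the invariant of d1 and d2 from Section 3.3 is tried before d1 = −ωx2. Assumptions: each right-hand side is given only as the set of variables it mentions, candidates are (label, variable set) pairs, and the symbolic constant a is treated as a parameter rather than a state variable of (F).

```python
# Added example (not the paper's code): the differential dependency relation
# depend(D) of Section 3.5, its transitive closure, the resulting variable
# clusters, and the cluster-size order used to rank induction candidates.
# Assumed encoding: D maps each variable x with an equation x' = theta to the
# set of variables occurring in theta; parameters such as omega and rho have
# no equation and therefore depend on nothing.

def depend(D):
    """Direct dependencies {(x, y) | (x' = theta) in D and y occurs in theta}."""
    return {(x, y) for x, rhs in D.items() for y in rhs}

def transitive_closure(pairs):
    closure = set(pairs)
    changed = True
    while changed:
        changed = False
        for (x, y) in list(closure):
            for (y2, z) in list(closure):
                if y == y2 and (x, z) not in closure:
                    closure.add((x, z))
                    changed = True
    return closure

def cluster(var, closure):
    """Smallest set containing var that is closed with respect to depend(D)."""
    return frozenset({var} | {y for (x, y) in closure if x == var})

def all_clusters(D):
    """Every variable mentioned in D, mapped to its cluster."""
    closure = transitive_closure(depend(D))
    names = set(D) | {y for rhs in D.values() for y in rhs}
    return {v: cluster(v, closure) for v in names}

def rank_candidates(candidates, D):
    """Sort candidates (label, set of state variables) by the size of the
    smallest cluster containing all of their variables, small first."""
    clusters = all_clusters(D)
    def hull_size(cand):
        hull = set()
        for v in cand[1]:
            hull |= clusters.get(v, frozenset({v}))
        return len(hull)
    return sorted(candidates, key=hull_size)

# Differential equation system (F) of Section 3.3, each right-hand side given
# as the set of variables it mentions (omega and rho are parameters)
F_DEPS = {"x1": {"d1"}, "x2": {"d2"}, "d1": {"omega", "d2"}, "d2": {"omega", "d1"},
          "t": set(), "y1": {"e1"}, "y2": {"e2"}, "e1": {"rho", "e2"},
          "e2": {"rho", "e1"}, "s": set()}

# Candidates named after the invariants discussed in Sections 3.3 and 3.5; the
# symbolic constant a is not a state variable of (F) and is left out.
CANDIDATES = [("d1 = -omega*x2", {"d1", "omega", "x2"}),
              ("d1^2 + d2^2 >= a^2", {"d1", "d2"}),
              ("t >= 0", {"t"})]

def demo():
    """Candidate labels in the order the saturation loop would try them."""
    return [label for label, _ in rank_candidates(CANDIDATES, F_DEPS)]
```

all_clusters(F_DEPS) yields {d1, d2, ω} for d1 and d2, {x1, d1, d2, ω} for x1, {x2, d1, d2, ω} for x2, and {t} for t, matching the triangular clusters of Fig. 6; demo() therefore ranks the clock candidate first, the speed invariant second, and d1 = −ωx2 last.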
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3.6  Global  Fixedpoint  Computation  for  Loop  Invariants 

With  the  uniform  setup  of  dC,  we  can  adapt  the  algorithm  in  Fig.  5  easily  to  obtain  a  fixedpoint 
algorithm  for  loops  (ip  — >  [a*](p)  in  place  of  continuous  evolutions  (ip  —*  [D  A  H](p).  In  line  5  of 
Fig.  5,  the  induction  step  from  Def.  4  just  needs  to  be  replaced  by  the  step  for  loops  (Def.  2).  As 
an  optimization,  invariants  H  of  previous  iterations  can  be  exploited  as  refinements  of  the  hybrid 
system  dynamics: 

Proposition  3  (Loop  saturation)  If  H  is  a  discrete  invariant  of  ip — >  \a*)(p,  then  H  A  F  is  a  dis¬ 
crete  invariant  iff  ip  — >  F  and  H  A  F  — >  [a]  ( II  — >  F)  are  valid. 

The proof is in appendix B.3. The induction step from Proposition 3 can generally be proven faster, because it is a weaker property than that of Def. 2. For the sake of completeness, the resulting algorithm is given in appendix D.

To adapt our approach from Section 3.5 to loops, we use discrete data-flow and control-flow dependencies of α. Dependencies can be determined immediately from the syntax of HP. There is a direct data-flow dependency with the value of x depending on y, if x := θ or x' = θ occurs in α with a term θ that contains y. Accordingly, there is a direct control-flow dependency, if, for any term θ, x := θ or x' = θ occurs in α after a ?H containing y.


3.7  Interplay  of  Local  and  Global  Fixedpoint  Loops 

The local and global fixedpoint algorithms jointly verify correctness properties of HP. Their interplay needs to be coordinated with fairness. If the local fixedpoint algorithm in Fig. 5 does not converge, stronger invariants may need to be found by the global fixedpoint algorithm, which result in stronger preconditions ψ for the local algorithm. Thus, the local fixedpoint algorithm should stop when it cannot prove its postcondition, either because of a counterexample or because it runs out of candidates for differential invariants. As in the work of Prajna [30], the degrees of parametric invariants, therefore, need to be bounded and increased iteratively. As in [30], there is no natural measure for how these degrees should be increased. Instead, we exploit the fact that the candidates of Candidates are independent and we explore them in parallel with fair time interleaving.


Figure 6: Differential dependencies (arrows) and (triangular) variable clusters of (F). Clusters shown: {x_2, d_2, d_1, ω}, {x_1, d_1, d_2, ω}, {d_2, d_1, ω}, {t}.
3.8 Soundness


Theorem 1 (Soundness) The verification algorithm in Section 3 is sound, i.e., whenever the algorithm prove(ψ → [α]φ) returns "true", the dL formula ψ → [α]φ is true in all states, i.e., all states reachable by α from states satisfying ψ satisfy φ.

A  proof  is  in  appendix  B.4.  Since  reachability  of  hybrid  systems  is  undecidable,  our  algorithm 
must  be  incomplete.  It  can  fail  to  converge  when  the  required  invariants  are  not  expressible  in 
first-order  logic.  The  existence  of  a  fixedpoint  in  dC  can  be  shown,  but  fixedpoints  are  not  always 
expressible  in  real  arithmetic  [27]. 


4  Optimizations 

4.1  Sound  Interleaving  of  Numerical  Simulation  of  Hybrid  Systems 

During fixedpoint computations, wrong choices of candidates are time consuming. Thus, in practice, it is important to discover futile attempts quickly. For this, we use non-exhaustive numerical simulation to look for a counterexample for each candidate. To prevent rejecting good candidates due to numerical errors, we discard fragile counterexamples. We consider counterexamples with distance < ε to safe states as fragile, because small numerical perturbations could make them safe (right × marks in Fig. 7). The left mark in Fig. 7, instead, is robust. Robust counterexamples can be ensured by replacing, e.g., a ≥ b by a ≥ b + ε in the formulas given to numerical reachability simulation for some estimate ε > 0 of the numerical error. Unlike in other approaches [3, 18, 24, 30, 28], numerical errors are not critical for soundness, because safety is exclusively established by sound symbolic verification.


Figure  7:  Robustness 

We can further exploit the symbolic decomposition performed by our algorithm in Section 3 and prefix recursive calls to prove(ψ → [α]φ) with a partial simulation of α. Using cylindrical algebraic decomposition [6], we find good samples of states satisfying ψ to start the simulation of α.
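The robustness filter of Section 4.1, as an added illustration (example code, not from the paper or from KeYmaera): a fourth-order Runge-Kutta simulation of system (F) (transcribed as assumed: x1' = d1, x2' = d2, d1' = −ω d2, d2' = ω d1, with ω = 1 and speed parameter a = 1 as constructed values) starts from one constructed initial state and evaluates three candidate formulas along the trajectory. Each candidate is written as a slack function whose sign is the truth value (slack ≥ 0 means the candidate holds), and a simulated state counts as a counterexample only if the slack is below −ε, the margin the text adds to the formulas. The true invariant d1² + d2² ≥ a² is violated by the integrator's own drift (on the order of 10⁻⁶, a fragile counterexample that is discarded), whereas x1 ≥ 0 is violated by about 1 on the circular path (a robust counterexample). A naive check without the margin would reject both candidates.

```python
W = 1.0                      # constant angular velocity ω (constructed value)
A = 1.0                      # assumed speed parameter a
S0 = (1.0, 0.0, 0.0, 1.0)    # constructed initial state (x1, x2, d1, d2): d1 = -ω x2, d2 = ω x1


def roundabout_rhs(s, w=W):
    """Vector field of (F) as assumed here: x1' = d1, x2' = d2, d1' = -w d2, d2' = w d1."""
    x1, x2, d1, d2 = s
    return (d1, d2, -w * d2, w * d1)


def rk4_step(s, h, w=W):
    """One classical Runge-Kutta step of size h."""
    def shift(u, k, f):
        return tuple(ui + f * ki for ui, ki in zip(u, k))
    k1 = roundabout_rhs(s, w)
    k2 = roundabout_rhs(shift(s, k1, h / 2), w)
    k3 = roundabout_rhs(shift(s, k2, h / 2), w)
    k4 = roundabout_rhs(shift(s, k3, h), w)
    return tuple(si + h / 6 * (a + 2 * b + 2 * c + d)
                 for si, a, b, c, d in zip(s, k1, k2, k3, k4))


def falsify(slack, s0=S0, eps=1e-3, t_end=7.0, h=0.1):
    """Simulate from s0 and look for states where the candidate (slack(s) >= 0) fails.

    status: 'none'    -> candidate held at every sampled state,
            'fragile' -> violated, but by less than eps (discarded as numerical noise),
            'robust'  -> violated by at least eps (reported as a counterexample).
    naive_counterexample is what a check without the margin would report.
    """
    s = s0
    worst, t_worst = slack(s), 0.0
    steps = int(round(t_end / h))
    for i in range(1, steps + 1):
        s = rk4_step(s, h)
        v = slack(s)
        if v < worst:
            worst, t_worst = v, i * h
    if worst >= 0:
        status = "none"
    elif -worst < eps:
        status = "fragile"
    else:
        status = "robust"
    return {"status": status, "worst": worst, "t": t_worst,
            "naive_counterexample": worst < 0}


def speed_slack(s):          # candidate d1^2 + d2^2 >= a^2 (a true invariant of (F))
    return s[2] ** 2 + s[3] ** 2 - A ** 2


def x1_slack(s):             # candidate x1 >= 0 (false: the aircraft circles the origin)
    return s[0]


def tangent_slack(s):        # candidate d1 = -w*x2 (an equation: slack is -|d1 + w x2|)
    return -abs(s[2] + W * s[1])


CANDIDATES = {
    "d1^2 + d2^2 >= a^2": speed_slack,
    "x1 >= 0": x1_slack,
    "d1 = -w*x2": tangent_slack,
}


def run_all(eps=1e-3):
    return {name: falsify(f, eps=eps) for name, f in CANDIDATES.items()}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:22s} {r['status']:8s} worst={r['worst']:+.2e} at t={r['t']:.1f}"
              f"  naive={r['naive_counterexample']}")
```

The margin ε plays the role of the error estimate the text mentions; it only decides which candidates are handed back to the symbolic prover, so a too-small ε costs time but never soundness.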

4.2  Optimizations  for  the  Verification  Algorithm 

Formulas with variables that do not change in a fragment of a HP are trivial invariants, as their truth-value is unaffected. For instance, ω = q is a trivial invariant of system (F). Hence, it can be used as an invariant without proof. A formula like ω^2(d_1^2 + d_2^2) ≥ r^2 in ψ, instead, is not trivially invariant, because d_i changes during (F). Still, it has invariant consequences like ω ≠ 0. To make use of these direct and indirect trivial invariants from ψ, we (soundly) weaken all universal closures of the form ∀^cl φ in lines 2 and 5 of Fig. 5 by ψ → ∀^cl φ.

5  Experimental  Results:  Aircraft  Roundabout  Maneuver 

As  an  example  with  non-trivial  dynamics,  we  analyze  aircraft  roundabout  maneuvers  [34].  Curved 
flight  as  in  roundabouts  is  challenging  for  verification,  because  of  its  transcendental  solutions.  The 
maneuver  in  Fig.  4a  from  [34]  and  the  maneuver  in  Fig.  4b  from  [28,  25]  are  not  flyable,  because 
they  still  involve  a  few  instant  turns.  A  flyable  roundabout  maneuver  without  instant  turns  is 
depicted  in  Fig.  8.  We  verify  safety  properties  for  most  (but  not  yet  all)  phases  of  Fig.  8  and  provide 
verification  results  in  Tab.  2.  We  present  details  in  appendix  C.  Note  that  the  required  invariants 
for the roundabout maneuver cannot even be found from characteristic sets of Differential Gröbner Bases [20].


Figure  8:  Flyable  aircraft  roundabout 

Verification results for roundabout aircraft maneuvers [34, 7, 28, 25] and the European Train Control System (ETCS) [29] are in Tab. 2. Results are from a 2.6GHz AMD Opteron with 4GB memory. Memory consumption of quantifier elimination is shown in Tab. 2, excluding the graphical front-end. The results are only slightly worse on a 2-year-old laptop with 1.7GHz and 1GB. We handle all variables symbolically. The dimension of the continuous state space is indicated.


6  Related  Work 

Other authors [33, 32, 30] have already argued that invariant techniques scale to more general dynamics than explicit reach-set computations or techniques that require solutions for differential equations [13, 24, 26]. However, they [33, 32] cannot handle hybrid systems with inequalities in initial sets or switching surfaces, which occur in most real applications like aircraft maneuvers. Barrier certificates [30] only work for inequalities, but invariants of roundabout maneuvers require mixed equations and inequalities. Prajna et al. construct barrier certificates of a fixed degree by global optimization over all certificates and modes [30]. This global approach, however, is infeasible for larger examples. Even with degree bound 2, it already requires solving a 5848-dimensional optimization problem for train control [29] and a 10005-dimensional problem for roundabouts with 5 aircraft.
Table 2: Experimental results

Case study                                Time (s)   Memory (MB)   Proof steps   Dimension
tangential roundabout (2 aircraft)             14             8           117          13
tangential roundabout (3 aircraft)            387            42           182          18
tangential roundabout (4 aircraft)            730            39           234          23
tangential roundabout (5 aircraft)           1964            88           317          28
bounded speed entry                            20            34            28          12
flyable roundabout entry (simplified)           6            10            98           8
ETCS-kernel safety                             41            28            53           9
ETCS safety (simplified)                       56            27           147          15
ETCS safety                                   183            87           169          15
ETCS train controllability                      1             6            17           5
RBC controllability                             1             7            45          16


Tomlin  et  al.  [34]  derive  saddle  solutions  for  competitive  aircraft  maneuvers  game-theoretically 
using  Hamilton-Jacobi-Isaacs  partial  differential  equations  and  propose  roundabout  maneuvers. 
Their  exponential  state  space  discretizations  for  PDEs,  however,  do  not  scale  to  larger  dimensions 
(they  consider  dimension  3).  Differential  invariants,  instead,  work  for  28-dimensional  systems. 

Straight-line aircraft maneuvers have been analyzed by geometrical meta-level reasoning [10, 14, 17]. They did not consider curved flight paths nor prove that their maneuvers are safe with respect to actual hybrid flight dynamics. In contrast, our approach works directly for the hybrid flight dynamics, and we verify curved roundabout maneuvers instead of straight-line maneuvers with non-flyable instant turns. A few approaches [21, 7] have been undertaken to Model Check if there are orthogonal collisions in discretizations of roundabout maneuvers. However, the counterexamples found by our model checker in previous work [28] show that non-orthogonal collisions can happen in these maneuvers.


7  Conclusions  and  Future  Work 

We  have  presented  a  sound  algorithm  for  verifying  hybrid  systems  with  non-trivial  dynamics. 
It  handles  differential  equations  using  differential  invariants  instead  of  requiring  solutions  of  the 
differential  equations,  because  the  latter  quickly  yield  undecidable  arithmetic.  We  compute  differ¬ 
ential  invariants  as  fixedpoints  using  a  verification  logic  for  hybrid  systems.  In  the  logic  we  can 
soundly  decompose  the  system  for  computing  local  invariants  and  we  obtain  sound  recombinations 
into  global  invariants.  Moreover,  we  introduce  a  differential  saturation  procedure  that  verifies  more 
complicated  properties  by  refining  the  system  dynamics  in  a  sound  way.  We  validate  our  algorithm 
on  roundabout  collision  avoidance  maneuvers  for  aircraft  and  on  collision  avoidance  protocols  for 
trains. 

Our algorithm works particularly well for fully parametric hybrid systems, because their parameter constraints can be combined faster to find invariants than systems with a single initial state, where simulation is more appropriate. We want to validate this in further experiments. Differential induction and the logic dL generalize to liveness properties and to systems with disturbances [27, 25]. In future work, we want to generalize the synthesis of corresponding differential (in)variants. Other invariant constructions for differential equations, e.g., [32], can be added and lifted to hybrid systems using our uniform algorithm.

Acknowledgments.  We  thank  Silke  Wagner  and  Alex  Donze  for  their  helpful  proofreading  re¬ 
marks. 


References

[1] Rajeev Alur and George J. Pappas, editors. HSCC, volume 2993 of LNCS. Springer, 2004.

[2] Hirokazu Anai and Volker Weispfenning. Reach set computations using real quantifier elimination. In Maria Domenica Di Benedetto and Alberto L. Sangiovanni-Vincentelli, editors, HSCC, volume 2034 of LNCS, pages 63-76. Springer, 2001.

[3] Eugene Asarin, Thao Dang, and Antoine Girard. Reachability analysis of nonlinear systems using conservative approximation. In Oded Maler and Amir Pnueli, editors, HSCC, volume 2623 of LNCS, pages 20-35. Springer, 2003.

[4] Alberto Bemporad, Antonio Bicchi, and Giorgio Buttazzo, editors. HSCC, volume 4416 of LNCS. Springer, 2007.

[5] Edmund M. Clarke. Program invariants as fixedpoints. Computing, 21(4):273-294, 1979.

[6] George E. Collins and H. Hong. Partial cylindrical algebraic decomposition for quantifier elimination. J. Symb. Comput., 12(3):299-328, 1991.

[7] Werner Damm, Guilherme Pinto, and Stefan Ratschan. Guaranteed termination in the verification of LTL properties of non-linear robust discrete time hybrid systems. In Doron Peled and Yih-Kuen Tsay, editors, ATVA, volume 3707 of LNCS, pages 99-113. Springer, 2005.

[8] Jennifer Mary Davoren and Anil Nerode. Logics for hybrid systems. Proc. IEEE, 88(7), July 2000.

[9] Alexandre Donzé and Oded Maler. Systematic simulation using sensitivity analysis. In Bemporad et al. [4], pages 174-189.

[10] Gilles Dowek, César Muñoz, and Victor A. Carreño. Provably safe coordinated strategy for distributed conflict resolution. In AIAA Conference Proc. AIAA-2005-6047, 2005.

[11] Melvin Fitting. First-Order Logic and Automated Theorem Proving. Springer, New York, second edition, 1996.

[12] Melvin Fitting and Richard L. Mendelsohn. First-Order Modal Logic. Kluwer Academic Publishers, Norwell, MA, USA, 1999.

[13] Martin Fränzle. Analysis of hybrid systems. In Jörg Flum and Mario Rodríguez-Artalejo, editors, CSL, volume 1683 of LNCS, pages 126-140. Springer, 1999.

[14] André L. Galdino, César Muñoz, and Mauricio Ayala-Rincón. Formal verification of an optimal air traffic conflict resolution and recovery algorithm. In Daniel Leivant and Ruy de Queiroz, editors, WoLLIC, volume 4576 of LNCS, pages 177-188. Springer, 2007.

[15] David Harel, Dexter Kozen, and Jerzy Tiuryn. Dynamic logic. MIT Press, 2000.

[16] Thomas A. Henzinger. The theory of hybrid automata. In LICS, pages 278-292. IEEE, 1996.

[17] Inseok Hwang, Jegyom Kim, and Claire Tomlin. Protocol-based conflict resolution for air traffic control. Air Traffic Control Quarterly, 15(1), 2007.

[18] Ruggero Lanotte and Simone Tini. Taylor approximation for hybrid systems. In Morari and Thiele [22], pages 402-416.

[19] Carolos Livadas, John Lygeros, and Nancy A. Lynch. High-level modeling and analysis of TCAS. Proc. IEEE - Special Issue on Hybrid Systems: Theory & Applications, 88(7):926-947, 2000.

[20] Elizabeth L. Mansfield. Differential Gröbner Bases. PhD thesis, University Sydney, 1991.

[21] Mieke Massink and Nicoletta De Francesco. Modelling free flight with collision avoidance. In ICECCS, pages 270-280. IEEE Computer Society, 2001.

[22] Manfred Morari and Lothar Thiele, editors. HSCC, volume 3414 of LNCS. Springer, 2005.

[23] Pablo A. Parrilo. Semidefinite programming relaxations for semialgebraic problems. Math. Program., 96(2):293-320, May 2003.

[24] Carla Piazza, Marco Antoniotti, Venkatesh Mysore, Alberto Policriti, Franz Winkler, and Bud Mishra. Algorithmic algebraic model checking I: Challenges from systems biology. In Kousha Etessami and Sriram K. Rajamani, editors, CAV, volume 3576 of LNCS, pages 5-19. Springer, 2005.

[25] André Platzer. Differential algebraic dynamic logic for differential algebraic programs. Submitted, http://www.symbic.net/pub/DAL.pdf, 2007.

[26] André Platzer. Differential dynamic logic for verifying parametric hybrid systems. In Nicola Olivetti, editor, TABLEAUX, volume 4548 of LNCS, pages 216-232. Springer, 2007.

[27] André Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reasoning, 2008. Accepted for publication, http://www.symbic.net/pub/freedL.pdf.

[28] André Platzer and Edmund M. Clarke. The image computation problem in hybrid systems model checking. In Bemporad et al. [4], pages 473-486.

[29] André Platzer and Jan-David Quesel. Logical verification and systematic parametric analysis in train control. In Magnus Egerstedt and Bud Mishra, editors, HSCC, LNCS. Springer, 2008. Long report at http://www.symbic.net/pub/dvpatc.pdf.

[30] Stephen Prajna, Ali Jadbabaie, and George J. Pappas. A framework for worst-case and stochastic safety verification using barrier certificates. IEEE T. Automat. Contr., 52(8), 2007.

[31] Vaughan R. Pratt. Semantical considerations on Floyd-Hoare logic. In FOCS, 1976.

[32] Enric Rodríguez-Carbonell and Ashish Tiwari. Generating polynomial invariants for hybrid systems. In Morari and Thiele [22], pages 590-605.

[33] Sriram Sankaranarayanan, Henny Sipma, and Zohar Manna. Constructing invariants for hybrid systems. In Alur and Pappas [1], pages 539-554.

[34] Claire Tomlin, George J. Pappas, and Shankar Sastry. Conflict resolution for air traffic management: a study in multi-agent hybrid systems. IEEE T. Automat. Contr., 43(4), 1998.



A Semantics of Hybrid Programs and Differential Dynamic Logic

The semantics of dL is a Kripke semantics in which states of the Kripke model are states of the hybrid system. A state is a map ν : V → ℝ; the set of all states is denoted by State. We write ν ⊨ φ if formula φ is true at state ν (Def. 6). Likewise, [[θ]]_ν denotes the real value of term θ at state ν. The semantics of HP α is captured by the state transitions that are possible by running α. For continuous evolutions, the transition relation holds for pairs of states that can be interconnected by a continuous flow respecting the differential equation and invariant region. That is, there is a continuous transition along x' = θ ∧ H from state ν to state ω, if there is a solution of the differential equation x' = θ that starts in state ν and ends in ω and that always remains within the region H during its evolution. As in [16, 8], we assume non-zeno behavior, for simplicity.


Definition 5 (Transition system of hybrid programs) The transition relation, ρ(α), of a hybrid program α, specifies which state ω is reachable from a state ν by operations of α and is defined as follows

1. (ν, ω) ∈ ρ(x := θ) iff the state ω is identical to ν except that ω(x) = [[θ]]_ν.

2. (ν, ω) ∈ ρ(x := random) iff the state ω agrees with ν except for the value of x, which is an arbitrary real value.

3. (ν, ω) ∈ ρ(x_1' = θ_1 ∧ ... ∧ x_n' = θ_n ∧ H) iff for some r ≥ 0, there is a (flow) function φ : [0, r] → State with φ(0) = ν, φ(r) = ω, such that,

   • The differential equation holds, i.e., for each x_i and each time ζ ∈ [0, r],

     $$\frac{d\,[[x_i]]_{\varphi(t)}}{dt}(\zeta) = [[\theta_i]]_{\varphi(\zeta)} .$$

   • For other variables y ∉ {x_1, ..., x_n} and ζ ∈ [0, r], the value remains constant, i.e., [[y]]_{φ(ζ)} = [[y]]_{φ(0)}.

   • The invariant is always respected, i.e., φ(ζ) ⊨ H for each ζ ∈ [0, r].

4. ρ(α ∪ β) = ρ(α) ∪ ρ(β)

5. ρ(α; β) = {(ν, ω) : (ν, z) ∈ ρ(α), (z, ω) ∈ ρ(β) for a state z}

6. (ν, ω) ∈ ρ(α*) iff there are an n ∈ ℕ and ν = ν_0, ..., ν_n = ω such that (ν_i, ν_{i+1}) ∈ ρ(α) for all 0 ≤ i < n.


Definition 6 (Interpretation of dL formulas) The interpretation ⊨ of a dL formula with respect to state ν uses the standard meaning of first-order logic:

1. ν ⊨ θ_1 ~ θ_2 iff [[θ_1]]_ν ~ [[θ_2]]_ν for ~ ∈ {=, ≤, <, ≥, >}

2. ν ⊨ φ ∧ ψ iff ν ⊨ φ and ν ⊨ ψ, accordingly for ∨, →

3. ν ⊨ ∀x φ iff ω ⊨ φ for all ω that agree with ν except for the value of x

4. ν ⊨ ∃x φ iff ω ⊨ φ for some ω that agrees with ν except for the value of x

It extends to correctness statements about a HP α as follows

5. ν ⊨ [α]φ iff ω ⊨ φ for all ω with (ν, ω) ∈ ρ(α)


B  Proofs 


B.l  Proof  of  Differential  Induction 


For the proof of Proposition 1, we prove a result showing that the directional derivative ∇_D F of formula F as defined in Def. 4 is a generalization of standard function derivatives. We show that the directional derivatives of terms in ∇_D F in the direction of the vector field of D agree with the standard differentiation. That is, they agree with the differentiation in the Euclidean real space of the value of these terms along a flow solving the corresponding differential equation D. As a notation for the proof, we introduce an abbreviation for the terms occurring in Def. 4. Let D be the differential equation system x_1' = θ_1 ∧ ... ∧ x_n' = θ_n and c a term. We define

$$\nabla_D(c) = \sum_{i=1}^{n} \frac{\partial c}{\partial x_i}\,\theta_i .$$

For a term c, ∇_D(c) is a term. For a formula F, the directional derivatives in Def. 4 can be written with this notation as

$$\nabla_D F = \bigwedge_{(b \sim c) \in F} \big(\nabla_D(b) \sim \nabla_D(c)\big) \quad \text{for } \sim \in \{=, \ge, >, \le, <\} .$$

Lemma 1 Let D ∧ H be a continuous evolution and let φ : [0, r] → State be a corresponding flow of duration r > 0 (Def. 5). Then we have for all terms c and all ζ ∈ [0, r] that

$$\frac{d\,[[c]]_{\varphi(t)}}{dt}(\zeta) = [[\nabla_D(c)]]_{\varphi(\zeta)} .$$

In particular, [[c]]_{φ(t)} is continuously differentiable and its derivative exists on [0, r].

Proof: The proof is by induction on term c. Let D be x_1' = θ_1 ∧ ... ∧ x_n' = θ_n.

• If c is variable x_j for some j (for other variables, the proof is simple because c is constant):

  The last equation holds as ∂x_j/∂x_j = 1 and ∂x_j/∂x_i = 0 for i ≠ j. The derivatives exist because φ is (continuously) differentiable.

• If c is of the form a + b, the desired result can be obtained by using the properties of derivatives and interpretations:

$$\begin{aligned}
\frac{d\,[[a+b]]_{\varphi(t)}}{dt}(\zeta)
&= \frac{d\,\big([[a]]_{\varphi(t)} + [[b]]_{\varphi(t)}\big)}{dt}(\zeta)
&& [[\cdot]]_{\varphi(t)} \text{ homomorphism for } + \\
&= \frac{d\,[[a]]_{\varphi(t)}}{dt}(\zeta) + \frac{d\,[[b]]_{\varphi(t)}}{dt}(\zeta)
&& \tfrac{d}{dt} \text{ is a linear operator} \\
&= [[\nabla_D(a)]]_{\varphi(\zeta)} + [[\nabla_D(b)]]_{\varphi(\zeta)}
&& \text{by induction hypothesis} \\
&= [[\nabla_D(a) + \nabla_D(b)]]_{\varphi(\zeta)}
&& \text{homomorphism for } + \\
&= [[\nabla_D(a+b)]]_{\varphi(\zeta)}
&& \nabla_D \text{ is linear, because } \tfrac{\partial}{\partial x_i} \text{ is linear}
\end{aligned}$$

• The case if c is of the form a · b is accordingly, using Leibniz's product rule.

□
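Lemma 1 states that ∇_D(c), computed purely syntactically, is the time derivative of c along any flow, and its proof rests on ∇_D being linear and obeying Leibniz's product rule. The following added Python example (it is not code from the paper or from the KeYmaera tool) implements ∇_D(c) = Σ_i ∂c/∂x_i · θ_i on polynomial terms with exact rational coefficients, checks the two identities the induction uses, and applies the induction step of Def. 4 to candidates for system (F), which is transcribed here as assumed (x1' = d1, x2' = d2, d1' = −ω d2, d2' = ω d1, t' = 1, with ω written as w and a a parameter). A derivative term that is identically zero is a sufficient condition for the step; in general the step ∀^cl(H → ∇_D F) is a real-arithmetic question that the paper discharges by quantifier elimination, so the example reports such candidates as open rather than deciding them.

```python
from fractions import Fraction


class Poly:
    """Polynomial over the rationals: {monomial: coefficient},
    where a monomial is a sorted tuple of (variable, exponent) pairs."""

    def __init__(self, terms=None):
        self.terms = {m: Fraction(c) for m, c in (terms or {}).items() if c != 0}

    @staticmethod
    def const(c):
        return Poly({(): c})

    @staticmethod
    def var(name):
        return Poly({((name, 1),): 1})

    @staticmethod
    def lift(v):
        return v if isinstance(v, Poly) else Poly.const(v)

    def __add__(self, other):
        out = dict(self.terms)
        for m, c in Poly.lift(other).terms.items():
            out[m] = out.get(m, 0) + c
        return Poly(out)

    __radd__ = __add__

    def __neg__(self):
        return Poly({m: -c for m, c in self.terms.items()})

    def __sub__(self, other):
        return self + (-Poly.lift(other))

    def __rsub__(self, other):
        return Poly.lift(other) - self

    def __mul__(self, other):
        out = {}
        for m1, c1 in self.terms.items():
            for m2, c2 in Poly.lift(other).terms.items():
                exps = {}
                for v, e in m1 + m2:          # merge exponents of both monomials
                    exps[v] = exps.get(v, 0) + e
                m = tuple(sorted(exps.items()))
                out[m] = out.get(m, 0) + c1 * c2
        return Poly(out)

    __rmul__ = __mul__

    def __pow__(self, n):
        out = Poly.const(1)
        for _ in range(n):
            out = out * self
        return out

    def __eq__(self, other):
        return self.terms == Poly.lift(other).terms

    def is_zero(self):
        return not self.terms

    def diff(self, x):
        """Partial derivative with respect to variable x."""
        out = {}
        for m, c in self.terms.items():
            exps = dict(m)
            e = exps.pop(x, 0)
            if e == 0:
                continue
            if e > 1:
                exps[x] = e - 1
            m2 = tuple(sorted(exps.items()))
            out[m2] = out.get(m2, 0) + c * e
        return Poly(out)

    def __str__(self):
        if not self.terms:
            return "0"
        parts = []
        for m, c in sorted(self.terms.items()):
            mono = "*".join(v if e == 1 else f"{v}^{e}" for v, e in m)
            parts.append(f"{c}*{mono}" if mono else str(c))
        return " + ".join(parts)


def lie_derivative(c, ode):
    """The term ∇_D(c) = Σ_i ∂c/∂x_i · θ_i for ode = {x_i: θ_i} (the definition before Lemma 1)."""
    total = Poly.const(0)
    for x, theta in ode.items():
        total = total + c.diff(x) * theta
    return total


def induction_step(c, ode):
    """Def. 4 induction step for an atomic candidate `c = 0` or `c >= 0`.
    ∇_D(c) identically zero proves the step for both relations; otherwise the
    step H -> ∇_D(c) ~ 0 is left to real arithmetic (quantifier elimination in the paper)."""
    d = lie_derivative(c, ode)
    return ("proved" if d.is_zero() else "open", d)


def roundabout_system():
    """System (F) as assumed for this example; w stands for ω, a is a parameter."""
    v = {n: Poly.var(n) for n in ("x1", "x2", "d1", "d2", "w", "a", "t")}
    ode = {"x1": v["d1"], "x2": v["d2"], "d1": -v["w"] * v["d2"],
           "d2": v["w"] * v["d1"], "t": Poly.const(1)}
    return v, ode


def check_candidates():
    v, F = roundabout_system()
    x1, d1, d2, w, a, t, x2 = (v[n] for n in ("x1", "d1", "d2", "w", "a", "t", "x2"))
    cands = {"d1^2 + d2^2 - a^2 >= 0": d1 ** 2 + d2 ** 2 - a ** 2,   # speed invariant of Section 3.3
             "d1 + w*x2 = 0": d1 + w * x2,                           # the invariant d1 = -w x2
             "x1 - t >= 0": x1 - t}                                  # constructed non-invariant
    return {name: induction_step(c, F) for name, c in cands.items()}


def lemma1_identities():
    """Linearity and Leibniz's rule for ∇_D, the two facts the induction in Lemma 1 uses."""
    v, F = roundabout_system()
    p, q = v["x1"] * v["d1"], v["x2"] ** 2
    linear = lie_derivative(p + q, F) == lie_derivative(p, F) + lie_derivative(q, F)
    leibniz = lie_derivative(p * q, F) == lie_derivative(p, F) * q + p * lie_derivative(q, F)
    return linear and leibniz


if __name__ == "__main__":
    for name, (verdict, d) in check_candidates().items():
        print(f"{name:26s} {verdict:7s} ∇_D = {d}")
    print("Lemma 1 identities hold:", lemma1_identities())
```

For the speed candidate the derivative is 2·d1·(−w·d2) + 2·d2·(w·d1), which cancels to the zero polynomial, so the induction step needs no arithmetic at all; x1 − t yields d1 − 1, which is where quantifier elimination under the evolution domain H would take over.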

Proof (of Proposition 1): We have to show that ν ⊨ F → [D ∧ H]F for all states ν. Let ν satisfy ν ⊨ F as, otherwise, there is nothing to show. We can assume F to be in disjunctive normal form and consider any disjunct G of F that is true at ν. In order to show that F remains true during the continuous evolution, it is sufficient to show that each conjunct of G is. We can assume these conjuncts to be of the form c ≥ 0 (or c > 0 where the proof is accordingly). Finally, using vectorial notation, we write x' = θ for the differential equation system. Now let φ : [0, r] → State be any flow of x' = θ ∧ H beginning in φ(0) = ν according to Def. 5. If the duration of φ is r = 0, we have φ(0) ⊨ c ≥ 0, because ν ⊨ c ≥ 0. For duration r > 0, we show that c ≥ 0 holds all along the flow φ, i.e., φ(ζ) ⊨ c ≥ 0 for all ζ ∈ [0, r].

Suppose there was a ζ ∈ [0, r] with φ(ζ) ⊨ c < 0, which will lead to a contradiction. The function h : [0, r] → ℝ defined as h(t) = [[c]]_{φ(t)} satisfies the relation h(0) ≥ 0 > h(ζ), because h(0) = [[c]]_{φ(0)} = [[c]]_ν and ν ⊨ c ≥ 0 by assumption (induction start of Def. 4). By Lemma 1, h is continuous on [0, r] and differentiable at every ξ ∈ (0, r). The mean value theorem implies that there is a ξ ∈ (0, ζ) such that (dh/dt)(ξ) · (ζ − 0) = h(ζ) − h(0) < 0. In particular, since ζ > 0, we can conclude that (dh/dt)(ξ) < 0. Now Lemma 1 implies that (dh/dt)(ξ) = [[∇_D(c)]]_{φ(ξ)} < 0. This, however, is a contradiction, because the induction step of Def. 4 implies that H → ∇_D(c ≥ 0) is true in all states (due to the universal closure ∀^cl), including φ(ξ) ⊨ H → ∇_D(c ≥ 0). In particular, as φ is a flow for D ∧ H, we know that φ(ξ) ⊨ H holds, and we have φ(ξ) ⊨ ∇_D(c ≥ 0), which contradicts [[∇_D(c)]]_{φ(ξ)} < 0. □


B.2  Proof  of  Differential  Saturation 

Proof (of Proposition 2): Let F be a continuous invariant, which implies that ψ → [D ∧ H]F is valid. Let ν be a state satisfying ψ (otherwise there is nothing to show). Then, ν ⊨ [D ∧ H]F. Since this means that F is true all along all flows φ of D ∧ H that start in ν (Def. 5), the latter differential equation and D ∧ H ∧ F have the same dynamics and the same reachable states from ν, i.e., (ν, ω) ∈ ρ(D ∧ H) holds if and only if (ν, ω) ∈ ρ(D ∧ H ∧ F) (Def. 5). Thus, we can conclude that ψ → [D ∧ H]φ and ψ → [D ∧ H ∧ F]φ are equivalent, because their semantics uses the same transition relation. □

B.3  Proof  of  Loop  Saturation 

Proof (of Proposition 3): Let H be a discrete invariant of ψ → [α*]φ. Let, further, H ∧ F be a discrete invariant of ψ → [α*]φ. Then ψ → H ∧ F and H ∧ F → [α](H ∧ F) are valid by Def. 2. Hence, trivially, H ∧ F → [α](H → F) is valid, because all states that satisfy H ∧ F also satisfy the weaker property H → F. Especially, H ∧ F → [α](H → F) is valid. Finally, the validity of ψ → H ∧ F clearly entails ψ → F.

Conversely, let H be a discrete invariant. Let, further, H ∧ F → [α](H → F) and ψ → F be valid. For H ∧ F to be a discrete invariant, we have to show that H ∧ F satisfies the induction step of Def. 2 (the induction start ψ → H ∧ F is an immediate combination of the validity of ψ → H and ψ → F). Since H is a discrete invariant, H → [α]H is valid, which entails H ∧ F → [α]H as a special case. Since H ∧ F → [α](H → F) is valid and H ∧ F → [α]H is valid, we conclude that H ∧ F → [α](H ∧ F) is valid for the following reason. Let ν be a state satisfying the initial constraints H ∧ F. Then ν ⊨ [α]H and ν ⊨ [α](H → F). Hence, all states ω reachable from ν by α satisfy ω ⊨ H and ω ⊨ H → F. Thus, they satisfy ω ⊨ H ∧ F, essentially by modus ponens. Consequently, we have shown that H ∧ F → [α](H ∧ F) is valid, and, hence, H ∧ F is a discrete invariant of ψ → [α*]φ. □

B.4  Proof  of  Soundness  of  the  Verification  Algorithm 

Proof (of Theorem 1): The proof is by induction on the structure of the algorithm.

• In the base case (line 11 of Fig. 2), prove returns the result of quantifier elimination, which is a sound decision procedure [6].

• If α is of the form x := θ, the algorithm in line 1 of Fig. 2 is responsible. If it returns "true", then prove(ψ ∧ x = θ → φ) has returned "true". Hence, by induction hypothesis, ψ ∧ x = θ → φ is valid. Now, because x was a fresh variable, the substitution lemma can be used to show that ψ → φ^θ_x and ψ → [x := θ]φ are valid. Hence, the result of prove is sound.

• If α is of the form x := random, the algorithm in line 9 of Fig. 2 is responsible. Soundness can be proven directly using the fact that φ being true after all random assignments to x is equivalent to φ being true for all real values of x. Hence, ψ → [x := random]φ is valid if and only if ψ → ∀x φ is.

• The other cases of Fig. 2 are accordingly.

• If α is of the form D ∧ H for a differential equation system D, the algorithm in Fig. 5 is responsible. If it returns "true" in line 3 in the first place, then the calls to prove in line 2 must have resulted in "true", hence, by induction hypothesis, H entails φ. Thus postcondition φ is true in a subregion of the evolution domain H. Thus ψ → [D ∧ H]φ is valid, trivially, because all evolutions along D ∧ H always satisfy H and, hence, φ. If, however, H was changed in line 6 during the fixedpoint computation, then the calls to prove for the properties in line 5 must have returned "true". Thus, by induction hypothesis, the dL formulas ψ ∧ H → F and ∀^cl(H → ∇_D F) are valid, hence F is a differential invariant of ψ → [D ∧ H]φ by Def. 4. Consequently, by Proposition 1, F also is a continuous invariant (Def. 3). Thus, by Proposition 2, the dL formulas ψ → [D ∧ H]φ and ψ → [D ∧ H ∧ F]φ are equivalent, and we can (soundly) verify the former by proving the latter. Consequently, the modification of the evolution domain H to H ∧ F in line 6 is sound, because the algorithm will continue proving a refined but equivalent formula for a refined but equivalent system.

• If α is a loop of the form β*, the proof is similar to the case for differential equations, except that it uses Proposition 3 instead of Proposition 1.

□


C  Case  Studies 

In this section, we present details on the case studies that we have verified with our verification algorithm. The verification tool¹ in which we have implemented our algorithm and the problem specification files for the case studies² are available online. As case studies, we verify collision avoidance properties for flight control maneuvers [34, 19, 21, 7, 10, 28, 14, 17] and train control protocols [29].

C.l  Flyable  Tangential  Roundabout  Maneuver 

As a case study, we show how safety properties of collision avoidance maneuvers in air traffic management can be verified with our verification algorithm. Aircraft maneuvers are challenging for verification [34, 19, 21, 7, 10, 28, 14, 17], because of the complicated spatial/geometrical movement of aircraft. Technically, this complexity manifests in difficulties with analyzing hybrid systems for flight equation (1) or the equivalently reparameterized differential equation system (F).

On straight lines, i.e., where the angular velocity is ω = 0, the values of sin ϑ and cos ϑ remain constant during continuous evolutions such that the solutions of (1) are (possibly piecewise) linear functions. For hybrid systems with linear evolution functions, there are well-known analysis techniques [16]. Pure straight line maneuvers [34, 21, 10, 14, 17] are aircraft maneuvers with piecewise linear evolutions, see, e.g., Fig. 9. They assume instant turns for heading changes of the aircraft between multiple straight line segments. Instant turns, however, are impossible in midflight, because they are not flyable: Aircraft cannot suddenly change their flight direction from 0 to 45 degrees discontinuously but need to follow a smooth curve instead, in which they slowly gear towards the desired direction.

¹ Verification tool KeYmaera available at http://www.symbic.net/info/KeYmaera.html

² All case studies are available at http://www.symbic.net/pub/fpdi-examples.zip

[Figure 9 is not reproduced in this scan; its only surviving label is "non-flyable instant turn".]

Figure 9: Non-flyable straight line maneuver with instant turns


During curves, the angular velocity ω is non-zero, which causes the trigonometric expressions in (1) to have a permanent non-constant effect on the dynamics of the system. Accordingly, for ω ≠ 0, the equivalent differential equation system (ℱ) has transcendental solutions, such that reachability problems along these solutions fall into undecidable classes of arithmetics. Consequently, maneuvers with curves like in Fig. 8 are much more challenging for verification than straight line maneuvers like Fig. 9, because the flight equations (1) and (ℱ) become highly non-trivial. To verify roundabout maneuvers with curves like in Fig. 4, our algorithm works with differential invariants (Def. 4) instead of solutions of differential equations.


[Figure 10 is not reproduced in this scan; its surviving labels are "ω := random", "ϱ := random" and "start → free".]

Figure 10: Protocol cycle and construction of flyable roundabout maneuver


A fully flyable roundabout maneuver is depicted in Fig. 8. It does not contain instant turns, but all of its curves are sufficiently smooth. The flyable roundabout maneuver consists of the phases in Fig. 10, which correspond to the flight phases marked in Fig. 8.

During free flight, the aircraft move without restrictions by repeatedly choosing arbitrary new angular velocities ω and ϱ (in phase free). When they come closer, the aircraft agree on a roundabout maneuver by negotiating a common roundabout center c (in the coordination phase tang). Next, the aircraft approach the roundabout circle by a right curve with ω < 0 (entry mode). During the circ mode, the aircraft follow the circular roundabout maneuver around the agreed center c with a left curve of common angular velocity ω. Finally, the aircraft leave the circular roundabout in cruise mode (ω = 0) into their original direction (exit) and enter free flight again when they have sufficient distance. The maneuver is symmetric when exchanging left and right curves.

C.1.1 Verification Overview.

We pursue the following overall verification plan by verifying, subsequently:

1. Tangential roundabout maneuver: Prove that the protected zones of aircraft are safely separated at all times during the whole maneuver when using a simplified entry operation.

2. Bounded entry speed: Prove that linear speeds are bounded for the overall maneuver.

3. Flyable entry procedure: Prove that the simplified entry procedure can be replaced by a flyable curve.

4. Entry separation: Prove that the protected zone is respected during the flyable entry procedure.

We present details on these verification tasks in the sequel. Informally, the property in case 4 is a consequence of the bounded speed and bounded duration of the flyable entry procedure when initiating the negotiation phase tang with sufficient distance. For the time being, we did not yet verify case 4 formally.

C.1.2 Tangential Roundabout Maneuver.

First, we prove that the tangential roundabout maneuver safely avoids collisions, i.e., the aircraft always maintain a safe distance ≥ p during the curved flight in the roundabout circle. In addition, we verify that arbitrary repetitions of the protocol cycle are safe at all times for a simplified choice of the entry maneuver.

The flight equations for aircraft x are denoted by ℱ(ω), i.e., the upper equations of (ℱ). We abbreviate the differential equations for aircraft y by 𝒢(ϱ) for the lower equations of (ℱ).

The model and specification for this tangential roundabout are given in Fig. 11. There, the safety property for collision avoidance maneuvers expresses that protected zones are respected during the flight (specified by separation property φ). The flight controller (trm*) performs collision avoidance maneuvers by tangential roundabouts and repeats these maneuvers any number of times as needed. During each trm phase, the aircraft first perform free flight (free) by (repeatedly) independently adjusting their angular velocities ω and ϱ while they are safely separated, which is expressed by conjunct φ of the differential equation. Due to invariant region φ of free, the tangential roundabout maneuver must be initiated (by a tangential initiation controller tang) before the flight paths become unsafe. Then, the tangential roundabout maneuver itself is carried out by the differential equation ℱ(ω) ∧ 𝒢(ω) according to some common angular velocity ω determined by tang. Finally, the collision avoidance roundabouts can be left again by repeating the loop trm* and entering arbitrary free flight at any time. When further conflicts occur during free flight, the controller in Fig. 11 again enters roundabout conflict resolution maneuvers.
ψ ≡ φ → [trm*]φ

φ ≡ ‖x − y‖² ≥ p² ≡ (x₁ − y₁)² + (x₂ − y₂)² ≥ p²
trm ≡ free; tang; ℱ(ω) ∧ 𝒢(ω)

free ≡ (ω := random; ϱ := random; ℱ(ω) ∧ 𝒢(ϱ) ∧ φ)*
tang ≡ ω := random; c := random;
  d₁ := −ω(x₂ − c₂); d₂ := ω(x₁ − c₁);
  e₁ := −ω(y₁ − c₁); e₂ := ω(y₂ − c₂)

Figure 11: Flight control with tangential roundabout collision avoidance maneuvers


In summary, property ψ of Fig. 11 expresses that the aircraft remain safe during the flight, especially during evasive roundabout maneuvers. Our verification results for this property are indicated in row 1 of Tab. 2. The next rows in Tab. 2 prove a corresponding property for up to 5 aircraft, which jointly participate in the roundabout maneuver. There, the safety property is mutual collision avoidance, i.e., each of the aircraft has a safe distance ≥ p to all the other aircraft. For instance, Fig. 12 contains the system and separation property specification for the roundabout maneuver with 4 aircraft. There, property ψ expresses that the 4 aircraft at x, y, z and u, respectively, keep mutual distance ≥ p, which gives a quadratic number of constraints. This quadratic increase in the property that actually needs to be proven for a safe roundabout of n aircraft causes the increased verification times for more aircraft in Tab. 2.

C.1.3 Bounded Speed.

The tangential roundabout maneuver in Fig. 11 maintains collision avoidance for all its choices of center c and angular velocity ω in tang. Next, we show that there always is a choice respecting external requirements on linear speed (aircraft can neither fly too slow nor too fast). Hence, for all external choices of the linear speed v, there is a choice for the options in tang such that the velocity is v:

∀v (φ → ⟨tang⟩(φ ∧ d₁² + d₂² = v²)) .

The verification results for this property are indicated in line 5 of Tab. 2.

C.1.4 Flyable Entry Procedure.

In order to generalize the verification results about the tangential roundabout maneuver with simplified entry procedures to the fully flyable tangential roundabout maneuver, we analyze a flyable entry procedure, which replaces our simple choice of entry in Fig. 11 and Fig. 12.

ψ ≡ φ → [trm*]φ

φ ≡ (x₁ − y₁)² + (x₂ − y₂)² ≥ p² ∧ (y₁ − z₁)² + (y₂ − z₂)² ≥ p²
  ∧ (x₁ − z₁)² + (x₂ − z₂)² ≥ p² ∧ (x₁ − u₁)² + (x₂ − u₂)² ≥ p²
  ∧ (y₁ − u₁)² + (y₂ − u₂)² ≥ p² ∧ (z₁ − u₁)² + (z₂ − u₂)² ≥ p²
trm ≡ free; tang;
  x₁' = d₁ ∧ x₂' = d₂ ∧ d₁' = −ω_x d₂ ∧ d₂' = ω_x d₁
  ∧ y₁' = e₁ ∧ y₂' = e₂ ∧ e₁' = −ω_y e₂ ∧ e₂' = ω_y e₁
  ∧ z₁' = f₁ ∧ z₂' = f₂ ∧ f₁' = −ω_z f₂ ∧ f₂' = ω_z f₁
  ∧ u₁' = g₁ ∧ u₂' = g₂ ∧ g₁' = −ω_u g₂ ∧ g₂' = ω_u g₁
free ≡ (ω_x := random; ω_y := random; ω_z := random; ω_u := random;
  x₁' = d₁ ∧ x₂' = d₂ ∧ d₁' = −ω_x d₂ ∧ d₂' = ω_x d₁
  ∧ y₁' = e₁ ∧ y₂' = e₂ ∧ e₁' = −ω_y e₂ ∧ e₂' = ω_y e₁
  ∧ z₁' = f₁ ∧ z₂' = f₂ ∧ f₁' = −ω_z f₂ ∧ f₂' = ω_z f₁
  ∧ u₁' = g₁ ∧ u₂' = g₂ ∧ g₁' = −ω_u g₂ ∧ g₂' = ω_u g₁ ∧ φ)*
tang ≡ ω := random; c := random;
  d₁ := −ω(x₂ − c₂); d₂ := ω(x₁ − c₁);
  e₁ := −ω(y₁ − c₁); e₂ := ω(y₂ − c₂);
  f₁ := −ω(z₁ − c₁); f₂ := ω(z₂ − c₂);
  g₁ := −ω(u₁ − c₁); g₂ := ω(u₂ − c₂)

Figure 12: Tangential roundabout collision avoidance maneuver (4 aircraft)

A flyable entry maneuver that follows the smooth entry curve from Fig. 8 is depicted in Fig. 13. Its construction uses the anchor point h indicated in Fig. 10. Anchor h is positioned relative to the roundabout center c and the x position at the start of the entry curve (i.e., with x at the right angle indicated in Fig. 10). The property in Fig. 13 specifies that the tangential configuration of the simple choice for tang in Fig. 11 can be reached by a flyable curve when waiting until x and center c have distance r. The existence of a choice for the anchor point h satisfying the requirements in Fig. 13 can be shown by proving the following dℒ diamond formula:

⟨h := random;
  ?(d₁ = ω(x₂ − h₂) ∧ d₂ = −ω(x₁ − h₁));
  ?((h₁ − c₁)² + (h₂ − c₂)² = (2r)²);
  ?(r² = (x₁ − h₁)² + (x₂ − h₂)²)
⟩ true

This property can be verified together with that in Fig. 13 in a simplified version. To overcome the complexity of real quantifier elimination [6], which is doubly exponential in the number of quantifier alternations, we use symmetry reduction to simplify the property in Fig. 13.

[h := random;
  ?(d₁ = ω(x₂ − h₂) ∧ d₂ = −ω(x₁ − h₁));
  ?((h₁ − c₁)² + (h₂ − c₂)² = (2r)²);
  ?(r² = (x₁ − h₁)² + (x₂ − h₂)²);
  x₁' = d₁ ∧ x₂' = d₂ ∧ d₁' = ω d₂ ∧ d₂' = −ω d₁ ∧ ((x₁ − c₁)² + (x₂ − c₂)² ≥ r²)
](
  (x₁ − c₁)² + (x₂ − c₂)² > r²
  ∨ (d₁ = −ω(x₂ − c₂) ∧ d₂ = ω(x₁ − c₁))
)

Figure 13: Flyable entry procedure

Without loss of generality, we can recenter the coordinate system to have c at position 0. Further, we can assume aircraft x to come from the left by changing the orientation of the coordinate system. Finally, we can assume, without loss of generality, the linear speed to be 1 (by rescaling units appropriately). Observe that we cannot fix a value for both the linear speed and the angular velocity, because their units are interdependent. In other words, if we fix the linear speed, we need to consider all angular velocities to verify all possible curve radii r for the roundabout maneuver. The x position resulting from these symmetry reductions can be determined as follows, see Fig. 10:

x = (0, 2r cos(π/6)) = (0, √((2r)² − r²)) = (0, √3 r) .

To express the square root function, we can easily use a random assignment for x₂ with a test condition x₂² = (√3 r)² = 3r². Consequently, we simplify Fig. 13 by specializing to the following situation:


d₁ := 1; d₂ := 0; c₁ := 0; c₂ := 0;
x₂ := 0;
r := random; ?r > 0; ω := 1/r;
x₁ := random; ?x₁² = 3r² ∧ x₁ < 0;

Verification results for the resulting entry procedure, including the proof of existence of a corresponding anchor point h, are shown in Tab. 2.

C.2 European Train Control System (ETCS)

The European Train Control System (ETCS) is a standard to assure safe operation of trains and high throughput of high speed trains. ETCS level 3 follows the moving block principle, i.e., movement authorities are not known beforehand but determined based on the current track situation by a Radio Block Controller (RBC). Trains are only allowed to move within their current movement authority block (denoted by m), which can be updated by the RBC using wireless communication. Hence the train controller needs to regulate the movement of a train locally such that it always remains within m, see Fig. 14.

The properties in Tab. 2 prove safety and controllability properties of the parametric ETCS protocol. The ETCS system model is given in Fig. 15. We refer to [29] for details on this case study. The properties in Tab. 2 correspond to the respective propositions in previous work [29]. Note that the algorithm that we introduced in this paper computes the invariants for ETCS automatically, which had to be provided manually in [29].


Figure  14:  ETCS  train  coordination  protocol 


D  Additional  Algorithms 

The algorithm in Fig. 16 verifies loops. It is a direct adaptation of that in Fig. 5, except that it uses Proposition 3 as an induction step for loops. The algorithm in Fig. 16 performs a fixedpoint computation for loops and recursively combines the local differential invariants obtained by differential saturation to form a global invariant. It recursively uses prove for verifying its subtasks, which handle the discrete switching behavior according to Fig. 2 and infer local differential invariants according to differential saturation by the fixedpoint algorithm in Fig. 5.
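As an added illustration of the loop saturation in Fig. 16 (this is not code from the paper or from KeYmaera), the following runs the fixedpoint loop on a constructed toy loop body α: x := x + 1; y := y + x over bounded integers; every prove call is decided by exhaustive enumeration of the bounded state space instead of a real prover with quantifier elimination. The names saturate, alpha, BOUND and the two candidate invariants are this example's own.

```python
# Added example, not code from the paper or KeYmaera: the loop-saturation
# fixedpoint of Fig. 16 over a constructed, finite toy system.
from itertools import product

BOUND = 6  # constructed: every "prove" is exhaustive over this integer box
STATES = [dict(x=x, y=y)
          for x, y in product(range(-BOUND, BOUND + 1), repeat=2)]

def alpha(s):
    """Constructed loop body α:  x := x + 1; y := y + x."""
    return dict(x=s["x"] + 1, y=s["y"] + s["x"])

def prove_forall(pred):
    """Stand-in for prove(∀^α ...): enumeration replaces the real prover."""
    return all(pred(s) for s in STATES)

def box_alpha(pred):
    """[α]pred: pred must hold in the state reached by one run of α."""
    return lambda s: pred(alpha(s))

def implies(a, b):
    return lambda s: (not a(s)) or b(s)

def conj(a, b):
    return lambda s: a(s) and b(s)

def saturate(psi, phi, candidates):
    """prove(ψ → [α*]φ) following Fig. 16; comments give its line numbers.
    Returns (proved?, accepted candidates in acceptance order)."""
    H = lambda s: True                                        # line 2
    accepted = []
    while True:
        if prove_forall(implies(H, phi)):                      # line 3
            return True, accepted                             # line 4
        for F in candidates:                                  # line 5
            if F in accepted:
                continue
            init_ok = prove_forall(implies(conj(psi, H), F))  # ψ ∧ H → F
            step_ok = prove_forall(                           # H ∧ F → [α](H → F)
                implies(conj(H, F), box_alpha(implies(H, F))))
            if init_ok and step_ok:                           # line 6
                H = conj(H, F)                                # line 7
                accepted.append(F)
                break                                         # line 8: goto 3
        else:
            return False, accepted                            # line 10

# Constructed task: from x = 0 ∧ y = 0, does α* keep y ≥ 0?
PSI = lambda s: s["x"] == 0 and s["y"] == 0
PHI = lambda s: s["y"] >= 0
Y_NONNEG = PHI                       # candidate 1: y ≥ 0 (not inductive alone)
X_NONNEG = lambda s: s["x"] >= 0     # candidate 2: x ≥ 0 (inductive alone)

def run_with_both_candidates():
    """y ≥ 0 fails the induction step while H = true (x may be negative), so the
    loop first accepts x ≥ 0, refines H, and then accepts y ≥ 0 on the retry."""
    ok, accepted = saturate(PSI, PHI, [Y_NONNEG, X_NONNEG])
    return ok, ["x>=0" if F is X_NONNEG else "y>=0" for F in accepted]

def run_with_weak_candidates():
    """Without x ≥ 0 among the candidates the fixedpoint gives up (line 10)."""
    return saturate(PSI, PHI, [Y_NONNEG])[0]
```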


E Proof Rules of the dℒ Sequent Calculus

In this section, we briefly summarize the sequent calculus for dℒ [26].

A sequent is of the form Γ ⊢ Δ, where the antecedent Γ and succedent Δ are finite sets of formulas. Its semantics is that of the formula ⋀_{φ∈Γ} φ → ⋁_{ψ∈Δ} ψ. Sequents will be treated as an abbreviation.

The dℒ calculus uses substitutions. The result of applying to φ the substitution that replaces x by θ is defined as usual; it is denoted by φ_x^θ. In the dℒ calculus, only admissible substitutions are applicable, which is crucial for soundness. We assume α-conversion for renaming as needed.

Definition 7 (Admissible substitution) An application of a substitution σ is admissible if no replaced term t occurs in the scope of a quantifier or modality binding a variable of σ(t) or t. A modality binds x if it contains an assignment x := θ or a differential equation containing x'.

spec : t.v² − m.d² ≤ 2b(m.e − t.p) ∧ t.v ≥ 0 ∧ m.d ≥ 0 ∧ b > 0
  → [ETCS](t.p ≥ m.e → t.v ≤ m.d)

ETCS : (train ∪ rbc)*
train : spd; atp; move
spd : (?t.v ≤ m.r; t.a := *; ?−b ≤ t.a ≤ A)
  ∪ (?t.v ≥ m.r; t.a := *; ?0 ≥ t.a ≥ −b)
atp : SB := (t.v² − m.d²)/(2b) + (A/b + 1)(A/2 ε² + ε t.v);
  (?(m.e − t.p ≤ SB ∨ rbc.message = emergency); t.a := −b)
  ∪ (?m.e − t.p ≥ SB ∧ rbc.message ≠ emergency)
move : τ := 0; (t.p' = t.v, t.v' = t.a, τ' = 1 ∧ t.v ≥ 0 ∧ τ ≤ ε)
rbc : (rbc.message := emergency)
  ∪ (m₀ := m; m := *;
     ?m.r ≥ 0 ∧ m.d ≥ 0 ∧ m₀.d² − m.d² ≤ 2b(m.e − m₀.e))

Figure 15: Formal model of parametric ETCS cooperation protocol


1  function prove(ψ → [α*]φ) :
2    H := true  /* currently known invariant of ψ → [α*]φ */
3    if prove(∀^α(H → φ)) then
4      return true  /* correctness property proven */
5    for each F ∈ IndCandidates(ψ → [α*]φ, H) do
6      if prove(ψ ∧ H → F) and prove(∀^α(H ∧ F → [α](H → F))) then
7        H := H ∧ F  /* refine by discrete invariant */
8        goto 3;  /* repeat fixedpoint loop */
9    end for
10   return "not provable using candidates"

Figure 16: Fixedpoint algorithm for discrete loop invariants (loop saturation)


As usual in sequent calculus, although the direction of entailment is from premisses (above rule bar) to conclusion (below), the order of reasoning and reading is goal-directed in practice: Rules are applied in tableau-style, that is, starting from the desired conclusion at the bottom (goal) to the resulting premisses (sub-goals). The proof rules of the dℒ calculus are depicted in Fig. 17. The calculus consists of propositional rules (P-rules), first-order quantifier rules (F-rules), rules for dynamic modalities (D-rules), and global rules (G-rules).

For propositional logic, standard P-rules are listed in Fig. 17. Unlike in uninterpreted first-order logic [11, 12], quantifiers are dealt with using quantifier elimination (QE) over the reals [6]. Compatibility with dynamic modalities is established using side deductions for the F-rules.

The D-rules handle HP by successively transforming them into logical formulas. State checks like ?H are shown by assuming the test succeeds, i.e., H holds true (D4), nondeterministic choices split into their alternatives (D1), α; β is proven using nested modalities (D2), and random assignments are handled by universal quantification (D5). D3 uses substitutions for handling discrete change. Rules D6–D7 are weakening and strengthening rules for DAF, respectively.

The G-rules are global rules. They depend on the truth of their premisses in all states, which is ensured by the universal closure with respect to all free variables. If x₁, ..., x_n are the free variables of Φ, then ∀x₁ ... ∀x_n Φ is its universal closure. The G-rules are given in a form that best displays their underlying logical principles. The general pattern for applying G-rules to prove that the succedent of their conclusion holds is to prove that both the antecedent of their conclusion and their premiss hold. Formally, such derived rules can be obtained using a cut (P10). Cuts are not needed in practice.

G1 is a generalisation rule. G2 is a discrete induction schema for repetitions with inductive invariant F. G2 says that F holds after any number of repetitions of α, if it holds initially and is sustained after each execution of α.

G3 is a rule for differential induction, which is a continuous form of induction along differential constraints. The induction rules G2 and G3 differ in the way the invariant remains true once it is true initially. G2 uses the inductive nature of repetition. G3, instead, uses continuity of evolution and the differential equation for a continuous induction step with the differential invariant F: If F holds initially (antecedent of conclusion) and its gradient ∇F · 𝒟 (see Def. 4 on page 6) satisfies the same relations when taking into account the differential constraints (premiss), then F itself is sustained differentially (succedent of conclusion). Finally, G-rules can be combined with generalisation (G1) to strengthen postconditions as needed.
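As an added example (not code from the paper or from KeYmaera), the check below carries out the differential induction of Def. 4 / rule G3 for the roundabout dynamics ℱ(ω) ∧ 𝒢(ω) of Fig. 11 in a small polynomial representation of its own: the velocity relation that tang establishes is itself a differential invariant, and once the evolution domain is refined by it, the separation property φ of Fig. 11 passes the gradient test, which is the saturation step of Section C.1.2. The polynomial helpers, ROUNDABOUT, T1, T2 and the function names are this example's own.

```python
# Added example, not code from the paper or KeYmaera: the continuous induction
# step of Def. 4 / rule G3 for the roundabout of Fig. 11, then differential
# saturation.  Polynomials are dicts {exponent tuple over VARS: Fraction}.
from fractions import Fraction
from itertools import product
VARS = ("x1", "x2", "y1", "y2", "d1", "d2", "e1", "e2", "w")  # w is omega

def var(name):
    return {tuple(1 if v == name else 0 for v in VARS): Fraction(1)}

def const(c):
    return {(0,) * len(VARS): Fraction(c)}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def neg(p):
    return {m: -c for m, c in p.items()}

def sub(p, q):
    return add(p, neg(q))

def mul(p, q):
    r = {}
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        m = tuple(a + b for a, b in zip(m1, m2))
        r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def diff(p, name):
    # partial derivative of p with respect to the variable called name
    i = VARS.index(name)
    r = {}
    for m, c in p.items():
        if m[i] > 0:
            m2 = m[:i] + (m[i] - 1,) + m[i + 1:]
            r[m2] = r.get(m2, Fraction(0)) + c * m[i]
    return r

def lie(p, ode):
    """Gradient ∇p · 𝒟 along ode (variables absent from ode, here w, are constant)."""
    r = {}
    for v, rhs in ode.items():
        r = add(r, mul(diff(p, v), rhs))
    return r

x1, x2, y1, y2, d1, d2, e1, e2, w = (var(v) for v in VARS)
# ℱ(ω) ∧ 𝒢(ω) of Fig. 11: both aircraft curve with the common angular velocity w.
ROUNDABOUT = {"x1": d1, "x2": d2, "d1": neg(mul(w, d2)), "d2": mul(w, d1),
              "y1": e1, "y2": e2, "e1": neg(mul(w, e2)), "e2": mul(w, e1)}

# Separation property φ of Fig. 11 is SEP ≥ p².
SEP = add(mul(sub(x1, y1), sub(x1, y1)), mul(sub(x2, y2), sub(x2, y2)))

# Relation between the velocity vectors left behind by tang (both aircraft orbit
# the same c): d1 - e1 = -w(x2 - y2) and d2 - e2 = w(x1 - y1), as T1 = 0, T2 = 0.
T1 = add(sub(d1, e1), mul(w, sub(x2, y2)))
T2 = sub(sub(d2, e2), mul(w, sub(x1, y1)))

def tangential_relation_is_invariant():
    """G3 for an equation: its gradient along the dynamics must vanish."""
    return lie(T1, ROUNDABOUT) == {} and lie(T2, ROUNDABOUT) == {}

def separation_is_invariant_after_refinement():
    """lie(SEP) = 2(x1-y1)(d1-e1) + 2(x2-y2)(d2-e2) is not 0 by itself, but with
    the domain refined by T1 = 0 ∧ T2 = 0 it equals 2(x1-y1)·T1 + 2(x2-y2)·T2,
    so it vanishes there and SEP ≥ p² is sustained by G3 (saturation)."""
    cof1 = mul(const(2), sub(x1, y1))
    cof2 = mul(const(2), sub(x2, y2))
    residual = sub(lie(SEP, ROUNDABOUT), add(mul(cof1, T1), mul(cof2, T2)))
    return residual == {}
```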

Definition 8 (Provability) A formula ψ is provable from a set Φ of formulas, denoted by Φ ⊢_{dℒ} ψ, iff there is a finite set Φ₀ ⊆ Φ for which the sequent Φ₀ ⊢ ψ is derivable. In turn, a sequent Φ ⊢ Ψ is derivable iff there is an inference rule of the dℒ calculus (Fig. 17) with conclusion Φ ⊢ Ψ such that all premisses of the rule are derivable.

In all rule schemata, all substitutions need to be admissible. In D6–D7, 𝒟 is a differential equation and χ an arithmetic formula. In G3, F is first-order without negative equalities. For F-rules, the Γ_i ⊢ Δ_i are obtained from the resulting sub-goals of a side deduction, see (*) in Fig. 18. The side deduction is started from the goal Γ ⊢ Δ, φ at the bottom (or Γ, φ ⊢ Δ for F2 and F4), where x is assumed not to occur in Γ, Δ using renaming. In the resulting sub-goals Γ_i ⊢ Δ_i, variable x is assumed to occur in first-order formulas only, as quantifier elimination (QE) is then applicable.


Figure 17: Rule schemata of the dℒ calculus.

[Figure 18 is not reproduced in this scan; (*) marks the side-deduction sub-goals referenced above.]

Figure 18: Side deduction for quantifier elimination rules.